Abstract — Abstract interpretation is a general methodology for building static analyses of programs. It was introduced by P. and R. Cousot in [3]. We present, in this paper, an application of generic abstract interpretation to the domain of model-checking. Dynamic checkers are usually easier to use, because the concepts are established and widely known, but they are usually limited to systems whose state space is finite. Moreover, certain faults cannot be detected dynamically, even by keeping track of the history of the state space. Indeed, the classical problem of finding the right test cases is far from trivial and limits the abilities of dynamic checkers further. Static checkers have the advantage that they work on a more abstract level than dynamic checkers and can verify system properties for all inputs. The problem is that it is hard to guarantee that a violation of a modeled property corresponds to a fault in the concrete system. We propose an approach in which we generate counter-examples dynamically using abstract interpretation techniques.

Keywords: static analysis, model-checking, abstract interpretation, refinement

I. Introduction 

Given that the number of states of a model grows exponentially with the number of variables and components of the system, model-checking has become complicated to carry out automatically. To make this work feasible, it is necessary to reduce the size of these models so as to reach reasonable time and memory requirements. Reduction techniques seek to suppress the harmful effects of the combinatorial explosion. When the behaviour graphs comprise several million or billions of states and transitions, the physical limits of memory are quickly reached. It is then necessary to resort to techniques for compressing behaviour graphs; the best known are based on BDDs (Binary Decision Diagrams). At enumeration time, deciding whether a reached state has already been met requires traversing the explored part of the graph. This subgraph, which never stops growing, must be kept in main memory. The limits of this memory are quickly exceeded, and paging algorithms then suffer a considerable drop in performance. Abstraction methods make it possible to eliminate the proliferation of states that differ from one another only by details that are unimportant with respect to the properties to be checked. It is essential that the reduced model preserve sufficient information to produce the same results as the original model and to preserve the properties one wishes to check. These two requirements must be considered carefully when generating an abstract model from a concrete model. Designing a "good" reduction method consists in producing a reduction relation that satisfies three criteria: a high reduction ratio, a strong-preservation relation, and an easy derivation of the reduction relation from the description of the system, the ideal being the construction of the reduced graph directly from the description. The details of the abstraction to be used for checking may be selected automatically or manually. The manual technique relies on abstract interpretations selected by the user. The abstractions considered generally preserve properties in a weak way, which means that they are only preserved from the abstract model to the concrete model. Thus, if one can guarantee that a property holds, the same is not true of its negation. Abstract interpretation is a methodology aiming at defining, analysing and justifying techniques for the approximate computation of properties of systems [3], whatever semantics is used. It consists in placing the analysis not in the concrete domain but in an abstract domain (simplified and limited) which preserves the properties sought; the major disadvantage is that the results are in general less precise and that one must accommodate approximations of the properties. In this paper, we present an abstraction technique called predicate abstraction with refinement, to reduce the generality and the minimality of the analysis, so that a violation of a property detected on an abstract path has a strong probability of existing on a path of the concrete model. The analysis is made at the global state space level: a traversal algorithm (similar to the one used to build the state space) is used to check for deadlock, livelock or divergent states. Example paths starting from the initial state and leading to a deadlock, livelock or divergent state can be extracted. To this end, we have to collect, during the search for these special states, the intermediate state sets reached before them; verification is based on bisimulation minimizations and comparisons.



II. Generality 



Small Example: The rule of signs. The abstract product on Sgn is chosen such that the following diagram commutes:

$\mathrm{Sgn} \times \mathrm{Sgn} \xrightarrow{\ \times^{\#}\ } \mathrm{Sgn}$
$\alpha \times \alpha \uparrow \qquad\qquad \downarrow \gamma$
$\mathrm{Int} \times \mathrm{Int} \xrightarrow{\ \times\ } \mathrm{Int}$

Consistency (soundness):

$\forall x, y \in \mathrm{Int} : x \times y \in \gamma(\alpha(x) \times^{\#} \alpha(y))$



A. Definition 

Abstract interpretation is a general methodology for the automatic analysis of the run-time properties of systems. The problem is that exact analysis may be very expensive; even decidable properties may be NP-complete. The idea is to find a decidable approximation which is sound and computable.

B. Mathematical theory of Abstract Interpretation 

Often, AI refers to the concept of a Galois connection: a 4-tuple $(C, A, \alpha, \gamma)$ where $C$ and $A$ are complete lattices and $\gamma : A \to C$ and $\alpha : C \to A$ are monotone functions such that:

$\forall \beta \in A : \alpha(\gamma(\beta)) = \beta,$
$\forall c \in C : \gamma(\alpha(c)) \geq c.$

It is impossible in practice to generate and analyze all possible execution traces of a given program.
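As an added illustration (not code from the paper), the rule of signs of Section II and the two Galois laws just stated, written out for a five-element lattice Sgn = {bot, neg, zero, pos, top}; the encoding of the lattice and the restriction of γ to a constructed finite slice of Int are assumptions of the example.

```python
"""The rule of signs as a Galois connection (added example, not from the paper).
Sgn = {bot, neg, zero, pos, top} abstracts sets of integers; alpha, gamma and
the abstract product Sgn x Sgn -> Sgn make the diagram with Int x Int -> Int
commute, which is checked together with the two Galois laws on a constructed
finite slice of Int."""
from itertools import product

BOT, NEG, ZERO, POS, TOP = "bot", "neg", "zero", "pos", "top"
SGN = (BOT, NEG, ZERO, POS, TOP)

def leq(a, b):
    """Lattice order on Sgn: bot is below everything, top above everything."""
    return a == b or a == BOT or b == TOP

def join(a, b):
    """Least upper bound in Sgn: two different signs join to top."""
    if leq(a, b):
        return b
    if leq(b, a):
        return a
    return TOP

def sign(x):
    """Sign of a single integer (never bot or top)."""
    return NEG if x < 0 else ZERO if x == 0 else POS

def alpha(xs):
    """alpha: P(Int) -> Sgn, the best abstraction of a set of integers."""
    a = BOT
    for x in xs:
        a = join(a, sign(x))
    return a

def gamma(a, universe):
    """gamma: Sgn -> P(Int), restricted to a finite universe since Int is infinite."""
    return {x for x in universe if leq(sign(x), a)}

def abs_mul(a, b):
    """Rule of signs, the abstract operator Sgn x Sgn -> Sgn."""
    if a == BOT or b == BOT:
        return BOT
    if a == ZERO or b == ZERO:
        return ZERO
    if a == TOP or b == TOP:
        return TOP
    return POS if a == b else NEG

def sound_on(universe):
    """Soundness condition: x * y in gamma(alpha({x}) *# alpha({y})) for all x, y.
    Membership in gamma over all of Int is equivalent to sign(x * y) below the result."""
    return all(leq(sign(x * y), abs_mul(sign(x), sign(y)))
               for x, y in product(universe, repeat=2))

def galois_laws(universe):
    """alpha(gamma(a)) = a for all a in Sgn, and gamma(alpha(c)) contains c for sample sets c."""
    insertion = all(alpha(gamma(a, universe)) == a for a in SGN)
    samples = [set(pair) for pair in product(universe, repeat=2)]   # constructed sets
    extensive = all(gamma(alpha(c), universe) >= c for c in samples)
    return insertion and extensive
```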

C. Motivation 

Abstract interpretation is based on three fundamental ideas: an abstract domain, abstract operators and fixpoint computation. The abstract domain and the abstract operators are used to execute a program on abstract values. The fixpoint computation drives the process on abstract values (it defines, in a certain way, the semantics of the program). Objective: to obtain information on the execution and the results of the program, provided that the abstract domain and the operators satisfy certain constraints.



D. Semantics 

Its definition has two viewpoints:

• Theoretical: associates a meaning to the objects handled by the programs.

• Practical: associates to a program a semantic function (automata).

$\langle \varphi, e \rangle \to \langle \varphi', e' \rangle$ with $e' = \tau(e)$, where $\tau$ is a transition relation. Note: $\tau[\varphi](e_0) = cal$; if $cal = \langle \_, e_n \rangle$ then the results of the program are the values of the variables in the last state.

• Denotational:

$\tau : (D \to D) \to (D \to D)$

$\tau = \lambda f.\,\lambda x.\ \text{if } p(x) \text{ then } x \text{ else } f(h(x)) \text{ fi}$

where $p$ is a predicate and $h$ any function. Example, McCarthy's F91:

$\tau = \lambda f.\,\lambda x.\ \text{if } x > 100 \text{ then } x - 10 \text{ else } f(f(x + 11)) \text{ fi}$

1) Abstract Domain: Any program $P$ handles data which belong to a domain $D_s$ called standard. Abstract interpretation consists in choosing an abstraction of the data, $D_{abs}$.

First approach:

$\theta = \{x_1 \leftarrow t_1, \ldots, x_n \leftarrow t_n\}$

$\beta$ approximates $\theta$ iff

$\beta = \{x_1 \leftarrow prop(t_1), \ldots, x_n \leftarrow prop(t_n)\}$

This defines the concrete semantics, most often non-computable.

Construction process: $P$ can be considered as a partial function

$P : D_s^{n} \to D_s^{m}$

Example: McCarthy's function, known as F91:

$F91(x) = \text{if } x > 100 \text{ then } x - 10 \text{ else } F91(F91(x + 11))$

    #include <stdio.h>
    #include <stdlib.h>

    /* McCarthy's F91: x - 10 above 100, and 91 for every x <= 100 */
    int F91(int x)
    {
        int f;
        if (x > 100) f = x - 10;
        else f = F91(F91(x + 11));
        return f;
    }

    int F91McCarthy(void)
    {
        int x;
        if (scanf("%d", &x) != 1) exit(1);   /* read the argument from stdin */
        printf("value of F91 of %d = %d\n", x, F91(x));
        exit(0);
    }



Note: There is no proof of termination of F91McCarthy for all $x \in \mathbb{Z}$. The idea is to replace $\mathbb{Z}$ by its power set $\wp(\mathbb{Z})$. We get the following definition:

$F91(X) = \{x - 10 : x > 100 \wedge x \in X \subseteq \mathbb{Z}\} \cup F91(F91(\{x + 11 : x \leq 100 \wedge x \in X \subseteq \mathbb{Z}\}))$

It is easy to show that $F91(C_1) = C_2$ verifies the condition:

$\forall x \in C_1\ \exists y \in C_2 : y = f(x)$

Note: the computation of such a function is too expensive for simple values, and the definition of the operations on such a domain is too complex.

Second Approach: to choose a "good" system of representation of properties

$\beta = \{x_1 \leftarrow \alpha(prop(t_1)), \ldots, x_n \leftarrow \alpha(prop(t_n))\}$

Choice of a (judicious) approximation of each element of $\wp(\mathbb{Z})$ by an interval $[min..max]$:

$D_{abs} = \{[s..t] : s, t \in \mathbb{Z} \cup \{-\infty, +\infty\}\}$

We define an order on $D_{abs}$, noted $\sqsubseteq$: $[s..t] \sqsubseteq [s'..t']$ iff $s \geq s'$ and $t \leq t'$.

a) Lemma: $(D_{abs}, \sqsubseteq)$ is a lattice whose lower bound is $[]$ and whose upper bound is $[-\infty..+\infty]$. Abstraction and concretization functions:

$\alpha : C \to A : c \mapsto \alpha(c) = [\min(c)..\max(c)]$
$\gamma : A \to C : a \mapsto \gamma(a) = \{s, s+1, \ldots, t-1, t\}$

with $a = [s..t]$, such that they verify the coherence constraints:

$\forall c \in C : \gamma(\alpha(c)) \supseteq c, \qquad \forall a \in A : \alpha(\gamma(a)) = a.$

b) Remarks:

• An abstract equivalent of a program carries out the same standard operations as the original, except that the domains are different.

• For real Pascal, C or Java programs, the rewriting work would be too tiresome. In fact one defines abstract operators, and the abstract interpreter uses them to carry out computations on the abstract data by interpreting the program to be analyzed.

• In practice each operator or function of the language must have an abstract equivalent. The required quality is their consistency, i.e. their coherence with respect to the equivalent concrete operator. For performance reasons, one requires efficiency and convergence, to guarantee termination and an acceptable computing time.

Abstract version of the F91 function:

$F^{a}91([s..t]) = [\max(91, s - 10)..(t - 10)] \sqcup F^{a}91(F^{a}91([(s + 11)..\min(t + 11, 111)]))$

$\forall I_i, I_j \in D_a : I_i = [s..t],\ I_j = [s'..t'] \Rightarrow I_i \sqcup I_j = lub(I_i, I_j) = [\min(s, s')..\max(t, t')]$

The abstract calculus:

$F^{a}91([-\infty..+\infty]) = [91..+\infty] \sqcup F^{a}91(F^{a}91([-\infty..111]))$

$F^{a}91([-\infty..111]) = [91..101] \sqcup F^{a}91(F^{a}91([-\infty..111]))$

Note: The set of functions $D_a \to D_a$ can be provided with an order: $f \leq g$ iff $\forall I \in D_a : f(I) \sqsubseteq g(I)$. The fixpoint calculus is useful at the time of the recursive calls, to ensure termination by proceeding by successive approximations.

c) Complete lattice: $(D, \leq)$ is

• a lattice iff $\exists \bot \in D$ and $\exists \top \in D$;

• complete iff

  – $\forall X \subseteq D\ \exists U \in D : \forall x \in X,\ x \leq U$ and

  – $\forall X \subseteq D\ \exists L \in D : \forall x \in X,\ x \geq L$.

It is obvious that $(D, \leq)$ satisfies these conditions.

d) Monotonicity and continuity: Let $A$ be a complete lattice with a partial order $\leq$ and $T : A \to A$ a transformation.

• $T$ is monotone iff $\forall x, y \in A : x \leq y \Rightarrow T(x) \leq T(y)$

• $T$ is continuous iff $\forall X \subseteq A : T(lub(X)) = lub(T(X))$

The transformation that we consider is a functional from a set of functions into itself:

$T : (D_a \to D_a) \to (D_a \to D_a)$

$(T\,F^{a}91)([s..t]) = [\max(91, s - 10)..(t - 10)] \sqcup F^{a}91(F^{a}91([(s + 11)..\min(t + 11, 111)]))$

e) Lemma: $T$ is continuous and monotone:

• $\forall I_i, I_j \in D_a : I_i \sqsubseteq I_j \Rightarrow f(I_i) \sqsubseteq f(I_j)$

• $\forall I_1 \sqsubseteq I_2 \sqsubseteq \ldots \sqsubseteq I_n \sqsubseteq \ldots \Rightarrow f(\bigsqcup_{i=1..n} I_i) = \bigsqcup_{i=1..n} f(I_i)$

Theorem: Let $f([s..t])$ be the function to compute; the fixpoint computation consists in applying $T$ to $f([s..t])$.

• If the constraints on the domain and the operators are satisfied, then any fixpoint of $T$ is a correct approximation of the function $f$.

• The smallest fixpoint of $T$ exists and constitutes the best approximation of $f$.

• The smallest fixpoint of $T$ coincides with the limit of an increasing sequence of approximations $f_0 \leq f_1 \leq f_2 \leq \ldots \leq f_n \leq \ldots$ such that:

$f_0(I) = \bot\ \ \forall I \in D_a$
$f_{k+1} = T(f_k)\ \ \forall k \geq 0$
2) Fixpoint Approach: The fixpoint approach is based on the monotonicity (continuity) of the transformation of the set of tuples representing the pre- and post-conditions of every predicate. In the case of an infinite abstract domain, termination of the algorithm is not guaranteed, which is the case when infinitely many different recursive calls are made. One can restrict oneself to finite abstract domains, which in certain cases may prove cumbersome or unacceptable. A possible solution would be to replace an infinite sequence of approximations by a finite number of approximate values.



a) Widening/Narrowing approach: Suppose the abstract semantics of the program is given by a function $fp : D_{abs} \to D_{abs}$. The analysis proceeds as follows:

1) Widening: computation of the limit of the sequence $X$ built by:

$x_0 = \bot$
$x_{i+1} = x_i \text{ if } fp(x_i) \sqsubseteq x_i \text{ else } x_i \nabla fp(x_i)$

2) Narrowing, to improve the result obtained by the widening: computation of the limit of the sequence $Y$ built by:

$y_0 = \bigsqcup X$
$y_{i+1} = y_i \text{ if } fp(y_i) = y_i \text{ else } y_i \Delta fp(y_i)$

b) Properties: Let $Prog = (\ldots)$ and $\varphi_k$ predicates over the …

1) Widening $\nabla : L \times L \to L$: $\forall X, Y \in L : X \sqsubseteq X \nabla Y$ and $Y \sqsubseteq X \nabla Y$, hence $X \sqcup Y \sqsubseteq X \nabla Y$; moreover $\bot \nabla X = X \nabla \bot = X$.

2) Narrowing $\Delta : L \times L \to L$: $\forall X, Y \in L : Y \sqsubseteq X \Rightarrow Y \sqsubseteq X \Delta Y \sqsubseteq X$.



c) Widening applied to intervals:

$[l_0, u_0] \nabla [l_1, u_1] = [\text{if } l_1 < l_0 \text{ then } -\infty \text{ else } l_0,\ \ \text{if } u_1 > u_0 \text{ then } +\infty \text{ else } u_0]$

Example: instead of making the recursive call with $F^{a}91([-\infty..111])$, one makes it with $F^{a}91([-\infty..+\infty])$. A loss of precision is introduced, but this speeds up the computation of the fixpoint.
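As an added example (not the paper's code), the interval domain, its lub and widening, and the abstract F91 functional of Section II.D, iterated to the least fixpoint from ⊥ over the intervals actually reached from a queried argument; the branch guards, which the abstract formula leaves implicit, are made explicit, and widening is applied to the argument of the inner recursive call, so that the call with [−∞..111] becomes a call with [−∞..+∞] as in the example just given.

```python
"""Interval abstract interpretation of McCarthy's F91 (added example, not
from the paper): the domain D_abs of the text with its lub and widening,
the functional T of the text with the branch guards made explicit, and a
chaotic Kleene iteration f_0 = bottom, f_{k+1} = T(f_k) computed only on the
intervals actually reached from the queried argument."""
import math

INF = math.inf
BOT = None                      # the empty interval [], bottom of D_abs

def lub(a, b):
    """[s..t] lub [s'..t'] = [min(s, s')..max(t, t')]; BOT is the neutral element."""
    if a is BOT or b is BOT:
        return a if b is BOT else b
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(old, new):
    """Interval widening of the text: a bound that moved jumps to infinity."""
    if old is BOT or new is BOT:
        return old if new is BOT else new
    lo = -INF if new[0] < old[0] else old[0]
    hi = INF if new[1] > old[1] else old[1]
    return (lo, hi)

def abstract_f91(query, widen_args=False, max_rounds=1000):
    """Least fixpoint of T over the intervals reached from `query`.
    With widen_args=True the argument of the inner recursive call is widened
    against the caller's argument, as in the text where F#91([-inf..111]) is
    replaced by F#91([-inf..+inf]).  Returns (result, rounds, table) where
    table holds the computed approximation on every reached interval."""
    approx = {}                 # current f_k; a missing key means BOT
    work, seen = [query], {query}
    for rounds in range(1, max_rounds + 1):
        changed = False
        i = 0
        while i < len(work):
            cur = work[i]
            s, t = cur
            res = BOT
            if t > 100:                     # branch x > 100 : x - 10
                res = lub(res, (max(101, s) - 10, t - 10))
            if s <= 100:                    # branch x <= 100 : f(f(x + 11))
                inner = (s + 11, min(t, 100) + 11)
                if widen_args:
                    inner = widen(cur, inner)
                mid = approx.get(inner, BOT)          # f_k(inner)
                for arg in (inner, mid):    # intervals the iteration must cover
                    if arg is not BOT and arg not in seen:
                        seen.add(arg)
                        work.append(arg)
                if mid is not BOT:
                    res = lub(res, approx.get(mid, BOT))   # f_k(f_k(inner))
            if res != approx.get(cur, BOT):
                approx[cur] = res
                changed = True
            i += 1
        if not changed:                     # a full round without change: fixpoint
            return approx.get(query, BOT), rounds, approx
    raise RuntimeError("no fixpoint within max_rounds")
```

Without widening the query [−∞..+∞] reproduces the abstract calculus of the text (F#91([−∞..111]) = [91..101]); with argument widening the query [50..60] converges on three intervals instead of several dozen, at the price of [91..+∞] instead of the exact [91..91].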

III. Refinement 

d) Motivation: The abstract interpretation framework establishes a methodology, based on rigorous semantics, for constructing abstractions that over-approximate the behaviour of the program, so that every behaviour of the program is covered by a corresponding abstract execution. Thus, the abstract behaviour can be exhaustively checked for an invariant in temporal logic. Refinement guided by counterexamples consists in approximating the set of states that lie on a path from an initial state to a bad state, which is successively refined by forward or backward passes. This process is repeated until the fixpoint is reached. If the resulting set of states is empty then the property is proven. Otherwise, the method does not guarantee that the counterexample trace is genuine.

A. Preliminaries 

Definition 3.1:

Theorem 3.1 (Cousot77): Let $S = (Q, Q_{init}, \Sigma, \to)$ be a system representing the semantics of a program. The system $S^A = (Q^A, Q^A_{init}, \to^A)$ is an abstraction of $S$ iff there exists a Galois connection

$\alpha : \wp(Q) \to \wp(Q^A),\quad \gamma : \wp(Q^A) \to \wp(Q)$

such that

• $Q_{init} \subseteq \gamma(Q^A_{init})$

• $\forall \tau \in \Sigma,\ \forall Q^A_1 \subseteq Q^A : post[\tau](\gamma(Q^A_1)) \subseteq \gamma(post[\tau^A](Q^A_1))$

Definition 3.2 (Predicate Abstraction, Graf & Saïdi 97):

e) Abstract State: Let $Prog = (\Sigma, \{\tau_1, \ldots, \tau_n\}, Init)$ and $\varphi_i$ predicates over Prog's variables; we define an abstraction $S^A$ as follows:

• $\Sigma^A = B^k$ is the set of valuations of $k$ boolean variables; any subset can be represented by a boolean expression over the variables $B_1, \ldots, B_k$.

• $S^A$ has the form $Prog^A = (\Sigma^A, \mathcal{T}^A = \{\tau^A_1, \ldots, \tau^A_n\}, Init^A)$.

f) Abstract transition: Let $\tau^A$ be an abstract transition; it must satisfy the condition of the definition of an abstract program, i.e. for all transitions $\tau$, $post[\tau^A](P_B)$, where $\tau^A$ is the abstract transition corresponding to $\tau$, has to represent all concrete states $q'$ which are successors by $\tau$ of a concrete state $q$ represented by $P_B$. We must show: $post[\tau](\gamma(P_B)) \Rightarrow$ …

B. Algorithmic checking of refinement

This model-checking needs methodological and correctness conditions:

1) Methodological conditions:

• new actions and variables will be introduced by refinement;

• the variables of the refined system and of the abstract system must be linked by a "gluing" invariant.

2) Correctness conditions:

• simulation of the refined system by the abstract one;

• no cycle between the new actions;

• no new deadlock.



Fig. 1. Simulation with old actions (abstract system / refined system)

It is a question of carrying out an iterative computation of the simulation of $TS_2$ by $TS_1$ (cf. figures 1 and 2), where transition $a$ is replaced by $\tau$. The algorithm terminates when the fixpoint is reached.

Theorem 3.2:

• If $P_1$ is a property satisfied by $TS_1$ and $TS_2$ refines $TS_1$ then

$TS_1 \models P_1,\ \vdash TS_2 \sqsubseteq TS_1$

• If $P_1$ is a property satisfied by $TS_1$, $TS_2$ refines $TS_1$ and $P_2$ is a reformulation of $P_1$ then

$TS_1 \models P_1,\ \vdash TS_2 \sqsubseteq TS_1$
$TS_2 \models P_2$

Fig. 2. Simulation with new actions (abstract system / refined system)

Fig. 3. Example of predicate abstraction

Definition 3.3: Let $K$, $K'$ be two systems (resp. concrete and abstract); we call a false counterexample, or false negative, a universal property that is false in $K'$ but true in $K$. We say that the counterexample exhibited in $K'$ cannot be reproduced in $K$.

a) Corollary: If $K'$ is too small, it is very probable that false negatives appear. If $K'$ is too large, then checking is not possible. Refinement guided by counterexamples is thus a natural approach to solve this problem, using an adaptive algorithm which gradually builds an abstraction function by the analysis of false negatives:

b) Pseudo Algorithm:

1. Initialization: generate a first abstraction function.

2. Model-Checking: check the model.
   If the check succeeds, then the specification is correct and the algorithm terminates;
   else
      generate a counterexample from the abstract model;
      verify whether this counterexample is a false negative;
      if the verification succeeds (the counterexample is genuine) then terminate;
      else refine the abstraction function such that the false negative is avoided,
      and go to step 2.
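The pseudo algorithm above together with the predicate abstraction of Definition 3.2, as an added worked example (not code from the paper): a constructed counter system with a single transition, the α/γ induced by a list of predicates, the existential abstract transition, and a forward pass over concrete states to detect a false negative; the bad-state set and the list of candidate predicates offered to the refinement step are assumptions of the example.

```python
"""Predicate abstraction with counterexample-guided refinement (added example,
not from the paper): a constructed finite concrete system, the predicate
abstraction of Definition 3.2 with existential abstract transitions, and the
pseudo algorithm of Section III.B (check, concretise, refine)."""

# Constructed concrete system: a counter x in 0..9, Init = {0}, and one
# transition tau: x := x + 1 if x < 3.  The bad states are passed in by the caller.
STATES = range(10)
INIT = {0}

def post(q):
    """Concrete successors of state q under tau."""
    return {q + 1} if q < 3 else set()

def alpha(concrete, preds):
    """alpha: P(Q) -> P(B^k), the predicate valuations of the states in `concrete`."""
    return {tuple(p(q) for p in preds) for q in concrete}

def gamma(abstract, preds):
    """gamma: P(B^k) -> P(Q), every state whose valuation lies in `abstract`."""
    return {q for q in STATES if tuple(p(q) for p in preds) in abstract}

def abstract_post(a, preds):
    """Existential abstraction of tau: post[tau^A]({a}) = alpha(post(gamma({a}))),
    so that post[tau](gamma({a})) is contained in gamma(post[tau^A]({a}))."""
    return alpha({q2 for q in gamma({a}, preds) for q2 in post(q)}, preds)

def abstract_counterexample(preds, bad):
    """Model-checking step: breadth-first search for an abstract path from
    alpha(Init) to an abstract bad state; None when no bad state is reachable."""
    bad_abs = alpha(bad, preds)
    parent = {a: None for a in alpha(INIT, preds)}
    queue = list(parent)
    while queue:
        a = queue.pop(0)
        if a in bad_abs:
            path = []
            while a is not None:
                path.append(a)
                a = parent[a]
            return path[::-1]
        for b in abstract_post(a, preds):
            if b not in parent:
                parent[b] = a
                queue.append(b)
    return None

def is_false_negative(path, preds, bad):
    """Forward pass of the abstract path over concrete states: the counterexample
    cannot be reproduced in K when no bad concrete state survives the replay."""
    reach = INIT & gamma({path[0]}, preds)
    for a in path[1:]:
        reach = {q2 for q in reach for q2 in post(q)} & gamma({a}, preds)
    return not (reach & bad)

def cegar(preds, candidates, bad):
    """Pseudo algorithm of Section III.B.  `candidates` are the predicates the
    refinement step may add, in order.  Returns the verdict and the predicates used."""
    preds, candidates = list(preds), list(candidates)
    while True:
        path = abstract_counterexample(preds, bad)
        if path is None:
            return "proved", preds          # the specification is correct
        if not is_false_negative(path, preds, bad):
            return "bug", preds             # genuine counterexample
        if not candidates:
            return "unknown", preds         # nothing left to refine with
        preds.append(candidates.pop(0))     # refine the abstraction function
```

With the single predicate x < 3 the abstract model reaches the abstract bad state for x == 5 although no concrete run does (a false negative); adding the predicate x == 5 proves the property, whereas for the reachable bad state x == 1 the refined abstraction yields a genuine counterexample.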

IV. Summary 

It is thus a question of starting by computing an approximation of a path which leads from an initial state to a bad state. Then, a "forward" or "backward" refinement is carried out, and this process is repeated until a fixpoint is met. If the resulting set of states is empty then the property is proved, since no bad state is reachable; otherwise, nothing guarantees the value of the counterexample, which may be distorted by a coarse approximation. Heuristics are employed to determine the subset of states reachable from the initial states. If an equivalence is found, it is really an error which can be reported as a bug; one speaks of a false positive. Predicate abstraction: the checking of programs by abstraction over closed predicates is a program-checking technique by abstract interpretation where the abstract domain is composed of the set of guards relating to the states and the transitions of the system. This domain can be generated automatically and checked by a theorem prover. Since the set of predicates is always finite, it can be coded by a vector of Booleans, which makes it possible to use the model-checker for the fixpoint computations. If the domain is very large, one can use a chaotic iterator and a widening if it is necessary to speed up convergence. Termination and reachability are decidable in this case. The one limitation of this checking technique by predicate abstraction is that the refinement processes, which primarily consist in computing the weakest invariant, are extremely slow. This obliges the users to provide at least the atomic predicates necessary for the proof. As a result, the human intervention that is required must be repeated for different programs even if they are very similar, and it

Fig. 4. Abstraction too coarse

V. Conclusion and Future Work 

It has been shown that static checkers can cover a large number of potential faults, but their automatic usage is still far from realistic. However, as a verification step prior to testing or code review, static checkers can already enhance the software development process today. Several techniques, like Altarica, B or CSP2B, were proposed to specify and check reactive systems using hierarchical development by refinement. In this case, the system design is realized gradually by enriching the design at each step of the specification, from a very abstract view of the system down to its implementation. For us, a system implements (refines) another system if all the execution traces of the more detailed system are also traces of the more abstract one (modulo the introduction of details during refinement). The checking of the system will thus use refinement to model the initial system in a more precise way, if the model-checker provides an erroneous result as a consequence of a coarse approximation at the time of the abstraction.

Fig. 5. Example of refinement